We are working on a project where many developers can create and push their own branches in the repository. Since NuxtHub automatically deploys every branch by default, we are concerned that this could lead to some security issues. In particular, we are concerned that an attacker (using a hacked GitHub account) could push malicious code and gain access to our tokens from both NuxtHub and Cloudflare.
We could change our GitHub action to only deploy the main branch and only allow write actions to the main branch via pull requests. However, we would like to know more about this topic. I believe there are protections in place, but I have not been able to find clear documentation on the subject. Could someone on the team explain how this is handled?
We are also wondering if a breach in one project could affect the other projects in the team, or if there is a separation between them.
Thank you very much.
If the attacker has the user token and the project key, he can deploy via the local terminal (it's a feature ^^)
I have a PR where I document how to build a gitlab-ci. I added rules which deploy automatically only on the main and staging branches. You have the CI code, so you are free to change the rules however you want.
The most valuable data is the user access token. Secure this as well as you can (do not store it in the repo), and then you should be good.
Also change your NuxtHub user access token every X months.
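As an added illustration of the rule-based approach described in the comment above (example configuration written here, not the file from the PR mentioned), a minimal `.gitlab-ci.yml` that only runs the deploy job on `main` and `staging`. The deploy command and the two variable names are assumptions and should be checked against the NuxtHub CLI documentation you use.

```yaml
# Added example: restrict NuxtHub deploys to the main and staging branches.
# Assumptions (not from the page): `npx nuxthub deploy` as the deploy command and
# NUXT_HUB_USER_TOKEN / NUXT_HUB_PROJECT_KEY as the variable names the CLI reads.
stages:
  - build
  - deploy

# Weak version (kept commented out for contrast): with no rules, every pushed
# branch, including one from a compromised account, would run this job with the
# tokens in scope.
# deploy-any-branch:
#   stage: deploy
#   script:
#     - npx nuxthub deploy

deploy:
  stage: deploy
  image: node:20
  script:
    - npm ci
    - npx nuxthub deploy
  rules:
    # Only the two long-lived branches get a deploy job; every other ref gets none.
    - if: '$CI_COMMIT_BRANCH == "main"'
    - if: '$CI_COMMIT_BRANCH == "staging"'
    - when: never
  # The tokens are never written in this file. Define NUXT_HUB_USER_TOKEN and
  # NUXT_HUB_PROJECT_KEY under Settings > CI/CD > Variables with "Protect variable"
  # and "Mask variable" enabled, and mark main and staging as protected branches.
  # A protected variable is only injected into pipelines on protected refs, so a
  # feature branch that edits these rules still cannot read the token.
```

The protected-variable setting is the part that holds even when someone rewrites the rules in their own branch, since the token is simply absent from unprotected pipelines.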